P3P 1.0: A New Standard in Online Privacy

How can we empower users with more control over their online
privacy?

The privacy of an individual's personal data on the Internet is a
top concern for business, government, media and the public. Opinion
surveys consistently show that privacy concerns are a leading
impediment to the further growth of Web-based commerce. Initial efforts
by Web sites to publicly disclose their privacy policies have had some
impact. But these policies are often difficult for users to locate and
understand, too lengthy for users to read, and change frequently
without notice.

P3P 1.0, developed by the World Wide Web Consortium, is emerging as
an industry standard providing a simple, automated way for users to
gain more control over the use of personal information on Web sites
they visit. At its most basic level, P3P is a standardized set of
multiple-choice questions covering all the major aspects of a Web
site's privacy policies. Taken together, they present a clear snapshot
of how a site handles personal information about its users.

P3P-enabled Web sites make this information available in a standard,
machine-readable format. P3P-enabled browsers can "read" this snapshot
automatically and compare it to the consumer's own set of privacy
preferences.

P3P enhances user control by putting privacy policies where users
can find them, in a form users can understand, and, most importantly,
by enabling users to act on what they see.

In short, the P3P specification brings ease and regularity to Web
users wishing to decide whether and under what circumstances to
disclose personal information. User confidence in online transactions
increases as they are presented with meaningful information and choices
about Web site privacy practices.

"The World Wide Web Consortium, the group that designs
standards for the Web, is creating a new way [P3P] for Web sites to
transmit the site's privacy policy automatically, and allow users to
signal only the information they are willing to share."
-- The New York Times 2/22/2000

The P3P standard is designed to do one job and do it well - to
communicate to users, simply and automatically, a Web site's stated
privacy policies, and how they compare with the user's own policy
preferences. This, in itself, is a major step forward.

P3P does not set minimum standards for privacy, nor can it monitor
whether sites adhere to their own stated procedures. Addressing all of
the complicated, fundamental issues surrounding privacy on the Web will
require the appropriate combination of technology, a legal framework
and self-regulatory practices.

The P3P 1.0 specification is now advancing through the W3C process
towards its final state as a W3C recommendation over the next year. The
experience of implementers and feedback from businesses, policy makers
and users around the world will be critical in shaping the final
technology design.

"In the context of proper legislation, P3P is the most
promising solution to cyberspace privacy. It will make it easy for
companies to explain their practices in a form that computers can read,
and make it easy for consumers to express their preferences in a way
that computers will automatically respect."
-- Professor Lawrence Lessig, Stanford Law School

P3P enables Web sites to translate their privacy practices into a
standardized, machine-readable format (Extensible Markup Language XML)
that can be retrieved automatically and easily interpreted by a user's
browser. Translation can be performed manually or with automated tools.
Once completed, simple server configurations enable the Web site to
automatically inform visitors that it supports P3P. See the P3P technical report for complete technical
specifications.

On the user side, P3P clients automatically fetch and read P3P
privacy policies on Web sites. A user's browser equipped for P3P can
check a Web site's privacy policy and inform the user of that site's
information practices. The browser could then automatically compare the
statement to the privacy preferences of the user, self-regulatory
guidelines, or a variety of legal standards from around the world. P3P
client software can be built into a Web browser, plug-ins, or other
software.
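
The comparison step described above, as an added example that is not part of the brochure or of any W3C code. The policy is constructed sample data, the element names are taken from the P3P 1.0 vocabulary as an assumption (the brochure shows no markup), and `USER_PREFS`, `local` and `evaluate_policy` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy. Element names follow the P3P 1.0 vocabulary
# (an assumption: the brochure itself shows no policy markup).
SAMPLE_POLICY = """\
<POLICY name="shop">
  <STATEMENT>
    <PURPOSE><current/><admin/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><telemarketing/></PURPOSE>
    <RECIPIENT><ours/><unrelated/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP><DATA ref="#user.home-info.telecom.telephone"/></DATA-GROUP>
  </STATEMENT>
</POLICY>
"""

# Hypothetical user preferences: values the user refuses, per category.
USER_PREFS = {
    "PURPOSE": {"telemarketing"},
    "RECIPIENT": {"unrelated", "public"},
    "RETENTION": {"indefinitely"},
}

def local(tag):
    # Drop an XML namespace prefix such as "{uri}PURPOSE" if one is present.
    return tag.rsplit("}", 1)[-1]

def evaluate_policy(policy_xml, prefs):
    """Return (category, value, data_refs) for each practice the user refuses."""
    # A fetched policy is untrusted input: refuse DTDs and entity declarations.
    if "<!DOCTYPE" in policy_xml or "<!ENTITY" in policy_xml:
        raise ValueError("policy contains a DTD or entity declaration")
    root = ET.fromstring(policy_xml)
    conflicts = []
    for stmt in (e for e in root.iter() if local(e.tag) == "STATEMENT"):
        data = [d.get("ref") for d in stmt.iter() if local(d.tag) == "DATA"]
        for group in stmt:
            refused = prefs.get(local(group.tag), set())
            for value in group:
                if local(value.tag) in refused:
                    conflicts.append((local(group.tag), local(value.tag), data))
    return conflicts
```

An empty result means the stated policy matches the preferences; it says nothing about whether the site follows that policy, which P3P cannot monitor.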

"The Platform for Privacy Preferences (P3P) is the
most sophisticated proposal that has been made from a technical
perspective so far to enhance privacy protection on the Web... [while]
it cannot replace a regulatory framework of legislation, contracts, or
codes of conduct... it [can] operate within such a framework."
-- Dr. Alexander Dix, LL.M., Commissioner for Data Protection and
Access to Information, State of Brandenburg, Germany

Available - now that the final standard is nearly
complete, software tools are already under development.

About W3C

The World Wide Web Consortium (W3C) was founded in 1994 by Tim
Berners-Lee, the inventor of the Web, to promote universal access and
to guide the Web's development with careful consideration for the novel
legal, commercial, and social issues raised by this technology.

A non-profit, industry-supported consortium, it includes researchers
and engineers from more than 420 participating institutions. W3C is
jointly administered by MIT's Laboratory for Computer Sciences
(MIT-LCS) in the U.S., the National Institute for Research in Computer
Science and Control (INRIA) in France, and Keio University in Japan.
W3C has developed and published more than twenty technological
recommendations for the Web, including HTML, XML, and CSS.

Note on this brochure and formats:

This brochure was prepared for the June 21, 2000 P3P interop event.
It is available as a single PDF file or as separate PDF files for each
page. The single file version must be reduced in order to print on 8.5
x 11 or A4 paper.